Internet Security Systems - AlertCon(TM)

Blackhat DC, Shmoocon, and GNOME evince

Posted by Jon Larimer on January 10, 2011 at 1:59 PM EST.

Later this month I'll be speaking at Blackhat DC and ShmooCon. The title of my Blackhat presentation is Beyond Autorun: Exploiting vulnerabilities with removable storage. The purpose of this presentation is to highlight how software vulnerabilities can lead to code execution when a user browses files on a removable storage device or even just connects one to their PC. These types of vulnerabilities can be used to spread malware on USB flash drives and to attack physical PCs, without relying on AutoRun. This research was inspired by the LNK vulnerability that Stuxnet used to spread over USB drives, and another recent example of this type of vulnerability is the thumbnail rendering vulnerability in Windows. Both of these vulnerabilities exist because of bugs in Windows shell extensions - code designed to make the user experience more pleasant by allowing custom icons and thumbnail previews for files on the file system. The problem is that files can't always be trusted, and these shell extensions will sometimes read and parse file data to show the user more information, even without the user opening the file. This means that a vulnerability in a shell extension can lead to malicious code executing when a user does nothing more than open a folder full of files. This has been observed before with third-party shell extensions, but there hasn't been much security research into shell extensions as a vulnerable class of software. My research wasn't limited to just shell extensions, and I'll also talk about how vulnerabilities in USB drivers and file system drivers could be leveraged by attackers with physical access to a PC. I also spent some time investigating how these vulnerabilities affect desktop Linux systems, and I'll be discussing what I found. In fact, I'll demonstrate an interesting proof-of-concept exploit that I developed for a popular desktop Linux distribution that can execute code just by inserting a USB flash drive into a vulnerable PC.
Of course, I'll also be talking about how computer users can protect themselves from falling victim to these kinds of attacks.

At ShmooCon, I'm presenting Exploiting AutoRun vulnerabilities on Linux. The focus of this talk will be on vulnerabilities in Linux software that could lead to autorun-type attacks. The emergence of Linux as a widely accessible desktop system brought with it the potential for abuse. Having the ability to automatically mount and browse file systems on removable storage devices and generate thumbnail previews for documents also introduces security vulnerabilities. I'll be talking about where to look for vulnerabilities in desktop Linux systems and how they can be exploited. I'll speak in-depth about how I exploited a particular vulnerability and how it's possible to overcome many of the roadblocks that can prevent successful exploits on Linux systems.

So what does this have to do with GNOME Evince? While working on the research for my presentations, I discovered several vulnerabilities in evince, the GNOME document reader software. Evince is also used as a thumbnailer application for the GNOME desktop and the Nautilus file manager, meaning that a vulnerability in it could possibly be exploited just by placing a file in a directory. It also turns out that it's easiest to exploit through the removable storage vector - on a USB flash drive. The bug has been fixed in Ubuntu and our friends over at BigFix have posted a Fixlet on their user support forum that can disable automounting and thumbnailers on Ubuntu entirely.
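The point made above, for both the Windows shell extensions and the GNOME thumbnailers, is that the parsing code runs as soon as a folder is displayed, so the set of programs registered as thumbnailers is the attack surface an untrusted USB stick reaches without a click. The following script is an added example, not code from the original post or from the evince project: it reads thumbnailer registrations and reports which programs would be launched for the files in a browsed folder. It assumes the GNOME 3 layout in which each thumbnailer registers through a .thumbnailer key file under /usr/share/thumbnailers (Exec= and MimeType= keys); the GNOME 2 desktop of 2011 kept the same information in GConf. The thumbnailer entries and the folder contents in the script are constructed samples so that it runs offline; the path, the `video-thumbnailer` name and the function names are assumptions.

```python
# Added example (not from the original post or from evince): audit which
# thumbnailer programs the desktop would launch, without any click, for the
# files in a browsed folder. Assumes the GNOME 3 .thumbnailer key-file layout.
import configparser
import os
from typing import Dict, List

# Constructed sample entries in the .thumbnailer key-file format (assumption
# about the format; the program name video-thumbnailer is made up).
SAMPLE_THUMBNAILERS: Dict[str, str] = {
    "evince.thumbnailer": (
        "[Thumbnailer Entry]\n"
        "TryExec=evince-thumbnailer\n"
        "Exec=evince-thumbnailer -s %s %u %o\n"
        "MimeType=application/pdf;application/postscript;image/vnd.djvu;\n"
    ),
    "video.thumbnailer": (
        "[Thumbnailer Entry]\n"
        "TryExec=video-thumbnailer\n"
        "Exec=video-thumbnailer -s %s %u %o\n"
        "MimeType=video/mp4;video/x-matroska;\n"
    ),
}

# Constructed sample: file names and MIME types found on a mounted USB stick.
SAMPLE_FOLDER: Dict[str, str] = {
    "report.pdf": "application/pdf",
    "holiday.mp4": "video/mp4",
    "notes.txt": "text/plain",
}


def parse_thumbnailer(text: str) -> Dict[str, object]:
    """Return the program and the MIME types registered by one .thumbnailer file."""
    # interpolation=None keeps the %s/%u/%o placeholders from confusing configparser
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    entry = cp["Thumbnailer Entry"]
    exec_line = entry.get("Exec", "")
    program = exec_line.split()[0] if exec_line else ""
    mime_types = [m for m in entry.get("MimeType", "").split(";") if m]
    return {"program": program, "mime_types": mime_types}


def load_thumbnailer_dir(path: str = "/usr/share/thumbnailers") -> Dict[str, str]:
    """Read real .thumbnailer files if the directory exists (path is an assumption)."""
    result: Dict[str, str] = {}
    if os.path.isdir(path):
        for name in sorted(os.listdir(path)):
            if name.endswith(".thumbnailer"):
                with open(os.path.join(path, name), encoding="utf-8") as fh:
                    result[name] = fh.read()
    return result


def mime_to_programs(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map every registered MIME type to the thumbnailer programs that handle it."""
    mapping: Dict[str, List[str]] = {}
    for text in files.values():
        parsed = parse_thumbnailer(text)
        for mime in parsed["mime_types"]:
            mapping.setdefault(mime, []).append(parsed["program"])
    return mapping


def programs_triggered(folder: Dict[str, str], files: Dict[str, str]) -> Dict[str, List[str]]:
    """For each file in the folder, list the programs that would parse it as soon
    as the folder is displayed, i.e. the code exposed to the untrusted file."""
    mapping = mime_to_programs(files)
    return {name: mapping.get(mime, []) for name, mime in folder.items()}


if __name__ == "__main__":
    # Prefer the real registrations when run on a GNOME 3 host, else the samples.
    registrations = load_thumbnailer_dir() or SAMPLE_THUMBNAILERS
    for name, programs in programs_triggered(SAMPLE_FOLDER, registrations).items():
        status = ", ".join(programs) if programs else "nothing (not parsed on browse)"
        print(f"{name}: {status}")
```

Every program the report names is code that parses attacker-controlled bytes before the user has opened anything, which is exactly the property the post attributes to evince and to the Windows shell extensions. The BigFix Fixlet mentioned above removes that exposure on Ubuntu by turning off automounting and thumbnailers entirely; on a GNOME 3 desktop the corresponding knobs are, as an assumption about current key names, the `automount` setting of `org.gnome.desktop.media-handling` and the `show-image-thumbnails` setting of `org.gnome.nautilus.preferences`.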

If you're attending either Blackhat or ShmooCon this month, come check out my talks. If you can't make it, the research paper and slides will be published shortly after the conferences.

Comments or opinions expressed on this Weblog are the opinions of the authors alone. They are not necessarily reviewed in advance by anyone but the individual authors, and neither IBM Internet Security Systems nor any other party necessarily agrees with them. The views expressed by outside contributors and links to outside websites do not represent the views of IBM Internet Security Systems, its management or employees. All content on this Weblog has been made available on an “as-is” basis, and IBM Internet Security Systems shall not be liable for any direct or indirect damages arising out of use of this Weblog.